
2011: The year of the breach

By William Jackson

Dec 15, 2011

This was the year in which we came to accept the fact that we could not depend on our defenses to protect us from cyber intrusions. The cybersecurity focus began to shift more to response and mitigation as we realized that compromise is a fact of life.

“If someone really has you in their sights, they’ve got you,” Tim Roxey, director of risk assessment at the North American Electric Reliability Corp., said in August when NERC announced that it had issued two threat alerts to power distributors.

A group of C-level executives participating in a Washington discussion of cybersecurity in September agreed that despite the number of headlines generated by recent high-profile breaches, the instances of advanced persistent threats reported in the press are only the tip of an iceberg and organizations should assume that they already have been or will be breached.

The conclusion was, if you can be sure that you have no malware lurking in your network, you either have nothing in your network worth stealing or you don’t know what is going on.

There were not necessarily more breaches in 2011 than in previous years, but the persistent drumbeat of high-profile or just embarrassing incidents made it clear how difficult it is to defeat the bad guys in an asymmetrical game in which the defense must maintain a perfect score.

For a while the most serious threats shifted away from brute force attacks relying on extensive botnet resources to more sophisticated and targeted attacks that crept in under the radar. The attackers bided their time, picked their targets and crafted blended threats that relied on clever social engineering as well as technology to land big phish and infiltrate systems.

But just as we thought APTs were the only thing we had to worry about, the smash-and-grab artists of LulzSec and Anonymous reminded us that low-tech attacks against known vulnerabilities in websites also could expose a lot of sensitive information.

Here are a handful of incidents that characterized the threat landscape over the past year.

Stuxnet

Strictly speaking, Stuxnet does not belong in 2011. It was discovered as early as July 2010 and could have been in the wild for a year or more before that. But speculation on and study of the structure, origins and mission of this highly targeted worm, which appears to be the first militarized piece of malware in the wild, have occupied a lot of people this year.

There is much we still do not know about the worm’s origins, but we can be pretty sure that its target was Iranian uranium enrichment facilities, and it seems to have succeeded. The most likely developer, based on the assumed target and the worm’s sophistication, would be a government or governments opposed to Iran’s nuclear aspirations. The United States and/or Israel come to mind, but there has been no confirmation of this.

Although it is sophisticated and dangerous, Stuxnet is not a superworm, according to research presented at the Black Hat Federal Briefings earlier this year. An analysis shows it to be a combination of sophisticated and flawed work, most likely the product of a partnership between several entities with varying levels of expertise and resources, said cybersecurity researcher Tom Parker, director of security consulting services at Securicon.

Some implementations, such as the command and control channel used by Stuxnet, were simplistic and unprotected, making it unlikely that it is the work of a Western nation with a great deal of technical expertise. On the other hand, it showed a good understanding of the specific hardware it was targeting.

Stuxnet’s ability to target and damage hardware, and the fact that thousands of copies of it have been found around the world, naturally made a lot of observers uneasy as they waited for the next version of it to appear, which was not long in coming.

Duqu: Son of Stuxnet

Duqu gained attention late in 2011 because it appears to include source code from the Stuxnet worm, according to researchers at Symantec Security Response, and it exploited a zero-day vulnerability in the Windows kernel to install itself on infected computers.

Although the code appears to be nearly identical to Stuxnet, Duqu appears to have an entirely different purpose. Rather than attacking an industrial control system, it apparently gathers information from targeted organizations, like more traditional malware.

Symantec has called Duqu “essentially the precursor to a future Stuxnet-like attack,” which now is operating in an information-gathering phase. The number of confirmed infections is limited and the information so far is incomplete, but Symantec has tracked it through six possible organizations in eight countries: France, the Netherlands, Switzerland, Ukraine, India, Iran, Sudan and Vietnam.

Other security vendors have reported infections in Austria, Hungary, Indonesia, the United Kingdom and Iran. The exact number of organizations and their identity are not known because some infected IP addresses are traceable only to a service provider. This also makes it difficult to say why these organizations have been targeted and what the goal of the campaign is, Symantec researchers said.

Microsoft issued a security advisory in November with a workaround for the vulnerability being exploited. The workaround denies access to the graphics driver managing font displays. The company said the vulnerability is caused when a Windows kernel-mode driver, the Win32k TrueType font parsing engine, fails to properly handle the TrueType font type.

The RSA breach

RSA, the Security Division of EMC Corp., announced in March that it had been the victim of an “extremely sophisticated” attack that harvested information about the company’s SecurID two-factor authentication product.

Executive Chairman Art Coviello said the company was breached by an advanced persistent threat, a broad class of computer attack that typically uses complex and often multiple exploits to quietly circumvent system defenses and gather information. Coviello, speaking earlier in the year at the RSA Security Conference, had warned against such targeted and sophisticated attacks.

SecurID is a two-factor identity authentication scheme widely used in industry and government to control access to sensitive resources. It uses a Personal Identification Number and a token that generates a new one-time passcode every 60 seconds in synchronization with the application being accessed to prove the identity of the user.

In the wake of the attack, the company temporarily halted distribution of the SecurID token and warned customers to take additional precautions to secure information about tokens already in use. Although the company acknowledged that token data had been stolen, it said that the information obtained would not allow a compromise of SecurID without additional information from customers. It also warned customers to lock down SecurID Authentication Manager databases, review recent logs for unusually high rates of failed authentication attempts, establish strong PIN and lockout policies, and educate help desks and users to avoid social engineering attempts to gain information.
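Turning the log-review advice above into a concrete check, as an added example that is not from RSA or this article: the script below flags users whose failed authentications cluster inside a short window and escalates when a success follows the burst. The log lines and their field layout are constructed for illustration, not a real Authentication Manager format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the field layout is assumed, not a real product format.
SAMPLE_LOG = """\
2011-03-18T09:00:05 user=jdoe result=FAIL src=10.1.4.20
2011-03-18T09:00:31 user=jdoe result=FAIL src=10.1.4.20
2011-03-18T09:01:02 user=jdoe result=FAIL src=10.1.4.20
2011-03-18T09:01:40 user=jdoe result=FAIL src=10.1.4.20
2011-03-18T09:02:15 user=jdoe result=FAIL src=10.1.4.20
2011-03-18T09:02:50 user=jdoe result=FAIL src=10.1.4.20
2011-03-18T09:03:20 user=jdoe result=OK src=10.1.4.20
2011-03-18T09:10:00 user=asmith result=FAIL src=10.1.7.9
2011-03-18T09:11:00 user=asmith result=OK src=10.1.7.9
2011-03-18T10:00:00 user=rlee result=FAIL src=10.1.2.3
2011-03-18T10:45:00 user=rlee result=FAIL src=10.1.2.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$")

def parse_log(text):
    """Return (timestamp, user, result, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["result"], m["src"]))
    return sorted(events)

def failed_auth_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Flag users with `threshold` or more failures inside any sliding `window`.
    Returns {user: {"peak_failures": n, "success_after_burst": bool}}."""
    recent = defaultdict(deque)  # per-user failure timestamps still inside the window
    flagged = {}
    for ts, user, result, _src in events:
        q = recent[user]
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold:
                entry = flagged.setdefault(user, {"peak_failures": 0, "success_after_burst": False})
                entry["peak_failures"] = max(entry["peak_failures"], len(q))
        elif user in flagged and len(q) >= threshold:
            # A success right after a burst of failures is the case to escalate.
            flagged[user]["success_after_burst"] = True
    return flagged
```

With the sample data only jdoe is flagged: six failures in under three minutes followed by a successful login, while rlee's spread-out failures expire from the window before they accumulate.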

It was widely believed that source code and seed numbers used with the SecurID algorithm to generate passcodes had been stolen. Although some observers said this did not present a great risk to users, others waited for the next shoe to drop. That came in June.

Lockheed Martin attacked

A little less than three months after the RSA breach, the company confirmed that stolen SecurID data was used in an attack against defense contractor Lockheed Martin.

The attack apparently was not successful, but it was described as having been carried out by the same foes who breached RSA, or who had access to the data that had been stolen. RSA sought to reassure customers with a statement that “whoever attacked RSA has certain information” about the product, “but not enough to complete a successful attack without obtaining additional information that is only held by our customers.”

But the attack against Lockheed Martin apparently used a list of seed numbers used to generate one-time SecurID passcodes to spoof a legitimate passcode. Researchers believe that a keystroke logger was placed on a computer used for remote log-in to the defense contractor’s network, possibly through a spear phishing attack, and was able to steal a user ID, PIN and several one-time passcodes. With this information, the attacker was able to determine the seed number being used and in turn use it to generate a legitimate passcode.

In April, Oak Ridge National Laboratory shut down its e-mail and Internet access after a successful phishing attack infected its network with what a spokeswoman called a “very sophisticated” piece of malware apparently designed to gather information from the Energy Department lab’s network.

E-mail service was re-established within a few days, but Internet access remained shut down for more than a week as technicians worked to identify, isolate and clean up the malicious code.

Lab spokeswoman Barbara Penland said the lab was the target of a phishing attack that began April 7.

“We received over 500 phishing e-mails that were specifically targeted to the lab and appeared to be from the benefits department,” she said. The e-mails included a “more information” link, which several people clicked. The malicious site then infected the computers, one of which allowed access to the lab’s network. Through that connection, additional malware was introduced into the network, apparently intended to collect technical information and send it out of the lab. Internet access was cut off to prevent the export of information.

Oak Ridge is managed for the Energy Department by the University of Tennessee and Battelle LLC and conducts basic and applied research in clean energy and other areas. It also is home to Jaguar, a recently upgraded Cray XT5-based supercomputer rated one of the fastest in the world.

The attack began one day after the Homeland Security Department’s US-CERT issued an advisory warning against targeted phishing attacks, and officials confirmed that a number of other Energy Department labs and agencies had been targeted by similar attacks. They would not be the last.

More DOE labs attacked

On July 1 two more labs were attacked and were taken offline while they purged their systems of malicious code, identified as an APT.

The Pacific Northwest National Laboratory located in Richland, Wash., shut down its public website, Internet access and e-mail service due to what spokesman Greg Koller called a “sophisticated cyberattack.” About the same time, the Thomas Jefferson Laboratory National Accelerator Facility in Newport News, Va., also went offline for a period after an attack was discovered. It restored Internet services and began rebuilding its public website soon afterward.

Battelle Memorial Institute of Columbus, Ohio, which manages the Pacific Northwest Lab and several others for the Energy Department and the United Kingdom, also came under attack July 1. E-mail and outside access were shut down over the July 4 holiday weekend but were restored July 5.

Koller said PNNL routinely repels more than 4 million probes and attempts against its external network defenses every day. “The vast majority of these attacks are simple to detect and defend,” he said. “This attack is much more sophisticated.”

Pacific Northwest was offline for nearly two weeks. DOE reported that no sensitive information was compromised, although there was what was described as “minimal exfiltration” of non-sensitive documents, many of which already were publicly available.

CIO Jerry Johnson said teams at Pacific Northwest found multiple malicious codes and tools as a result of the breach. Johnson described the malware as an APT but did not give details. He attributed the length of time it took to clean up from the incident to the size and complexity of the IT environment, which includes petabytes of software and information and tens of thousands of devices linked to a 10-gigabit/sec. research network.

Hacktivism

The midyear was dominated by hacktivism performed by a number of loosely organized groups, including those going under the names LulzSec and Anonymous. In June they announced they had declared war on government websites. They were responsible (or not, depending on whom you believe) for a rash of smash-and-grab attacks against poorly defended but sometimes high-profile sites.

Victims included the U.S. Senate, the International Monetary Fund, the CIA and the Atlanta chapter of the FBI-affiliated InfraGard. Local police department sites also were breached, and in some cases personal information was stolen and posted later online.

In July it was announced that an unsecured server at government contractor Booz Allen Hamilton had been broken into and some 90,000 military e-mails and password hashes copied.

Security experts condemned the attacks as preventable, for the most part relying on unsophisticated techniques. LulzSec described the CIA attack as a simple packet flood, which overwhelmed a server with the volume of traffic. A technique called Slowloris also apparently was used, a low-bandwidth attack that ties up server connections by sending partial requests that are never completed. Such an attack can come in under the radar because of the low volume of traffic it generates and because it targets the application layer.
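To make the last point concrete, here is an added example (not from the article or any of the groups it names) that contrasts a byte-volume flood heuristic with a connection-state heuristic over a constructed snapshot of a web server's connection table. Only the second heuristic notices the Slowloris pattern, because the attack's signature is stalled, header-incomplete connections rather than traffic volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2011, 6, 15, 12, 0, 0)
# Constructed connection-table snapshot, not real server output:
# (client_ip, seconds_open, bytes_received, request_headers_complete)
SNAPSHOT = [(ip, NOW - timedelta(seconds=age), nbytes, done) for ip, age, nbytes, done in [
    ("198.51.100.7", 300, 88, False),   # six connections, each sending a few
    ("198.51.100.7", 250, 91, False),   # header bytes and never finishing
    ("198.51.100.7", 200, 87, False),
    ("198.51.100.7", 150, 90, False),
    ("198.51.100.7", 100, 86, False),
    ("198.51.100.7", 40, 85, False),
    ("203.0.113.5", 3, 4100, True),     # busy but legitimate client
    ("203.0.113.5", 2, 3900, True),
    ("203.0.113.9", 45, 40, False),     # one slow link, not an attack
]]

def by_volume(snapshot, min_bytes=5000):
    """Packet-flood heuristic: clients whose received bytes exceed a threshold."""
    total = defaultdict(int)
    for ip, _opened, nbytes, _done in snapshot:
        total[ip] += nbytes
    return sorted(ip for ip, n in total.items() if n >= min_bytes)

def by_stalled_connections(snapshot, now=NOW, min_age=timedelta(seconds=30), max_pending=5):
    """Slowloris heuristic: clients holding many connections whose request headers
    are still incomplete after min_age. Bytes transferred are deliberately ignored."""
    pending = defaultdict(int)
    for ip, opened, _nbytes, done in snapshot:
        if not done and now - opened >= min_age:
            pending[ip] += 1
    return sorted(ip for ip, n in pending.items() if n >= max_pending)
```

The volume rule singles out the legitimate busy client and misses the attacker entirely; the stalled-connection rule flags the attacker and leaves the single slow client alone.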

The attacks apparently thrived on the attention they generated for the perpetrators. “If we stop talking about it, it will stop,” said Kevin Haley, a director of Symantec Security Response.

The online campaign appeared to peter out as the real-world Occupy Wall Street movement took over the activist spotlight later in the year.


Reader Comments

Fri, Dec 16, 2011
Don Martin
Alexandria, VA

Unless you put the security in the data and NOT everywhere around it, you can expect to be compromised. Forget network security, IDS and layers upon layers of expensive risk mitigation - they don't work. We'll give the adversary all of the data, let them store it for you, move it across their network - they will never be able to see it. No brute force attack, no man-in-the-middle, no playback - ever. Protect the data and lose the incentive to attack the server. The technology exists.
